CyberArk PAS
This Integration is part of the CyberArk Pack.#
Use the CyberArk Privileged Access Security (PAS) solution to manage users, safes, vaults, and accounts from Cortex XSOAR.
Configure CyberArkPAS on Cortex XSOAR#
- Navigate to Settings > Integrations > Servers & Services.
- Search for CyberArkPAS.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|---|---|
| url | Server URL (e.g., https://example.net\) | True |
| credentials | Username | True |
| isFetch | Fetch incidents | False |
| max_fetch | Max fetch | False |
| fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| score | CyberArk PAS score (0.0-100.0) | False |
| incidentType | Incident type | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
- Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
cyberark-pas-user-add#
Add a new user to the vault.
Base Command#
cyberark-pas-user-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The name of the user. | Required |
| user_type | The user type according to the license. | Optional |
| non_authorized_interfaces | The CyberArkPAS interfaces that this user is not authorized to use, e.g., - "PSM", "PSMP" | Optional |
| location | The location in the vault where the user will be created. Must begin with "\". If just "\", the vault is in the root. | Optional |
| expiry_date | The date when the user credentials expire. Must be in the following timestamp format: (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year). | Optional |
| password | The password that the user will use to log in for the first time. | Required |
| change_password_on_the_next_logon | Whether or not the user must change the user password from the second log in onward. Can be 'true' or 'false'. Default is 'true'. | Optional |
| password_never_expires | Whether the user’s password will not expire unless they decide to change it. Can be 'true' or 'false'. Default is 'false'. | Optional |
| vault_authorization | A comma-separated list of user permissions. Valid values are: AuditUsers, AddUpdateUsers, ResetUsersPasswords, ActivateUsers, AddNetworkAreas, ManageDirectoryMapping, ManageServerFileCategories, BackupAllSafes, RestoreAllSafes e.g., AddSafes,AuditUsers | Optional |
| description | Notes and comments. | Optional |
| The email address of the user. | Optional | |
| first_name | The first name of the user. | Optional |
| last_name | The last name of the user. | Optional |
| enable_user | Whether the user will be enabled upon creation. Can be 'true' or 'false'. Default is 'true'. | Optional |
| distinguished_name | The distinguished name of the user. The usage is for PKI authentication. This will match the certificate subject name or domain name. | Optional |
| profession | The profession of the user. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Users.id | Number | The unique ID of the user. |
| CyberArkPAS.Users.authenticationMethod | String | The authentication method of the user. |
| CyberArkPAS.Users.changePassOnNextLogon | Boolean | Whether or not the user must change the user password. |
| CyberArkPAS.Users.description | String | Description of the user. |
| CyberArkPAS.Users.enableUser | Boolean | Whether or not the user is enabled. |
| CyberArkPAS.Users.expiryDate | Number | The expiry date of the user credentials. |
| CyberArkPAS.Users.internet.businessEmail | String | The email address of the user. |
| CyberArkPAS.Users.lastSuccessfulLoginDate | Number | The last successful login date of the user. |
| CyberArkPAS.Users.location | String | The location in the vault where the user will be created. |
| CyberArkPAS.Users.personalDetails.profession | String | The profession of the user. |
| CyberArkPAS.Users.suspended | Boolean | Whether or not the user is suspended. |
| CyberArkPAS.Users.userType | String | The type of the user. |
| CyberArkPAS.Users.username | String | The name of the user. |
| CyberArkPAS.Users.vaultAuthorization | String | The permissions of the user. |
Command Example#
!cyberark-pas-user-add username="TestUser" password="12345Aa" change_password_on_the_next_logon=true description="new user for test" email="usertest@test.com" enable_user=true first_name="user" last_name="test" profession="testing integrations"
Context Example#
Human Readable Output#
Results#
authenticationMethod businessAddress changePassOnNextLogon componentUser description distinguishedName enableUser expiryDate groupsMembership id internet lastSuccessfulLoginDate location passwordNeverExpires personalDetails phones source suspended unAuthorizedInterfaces userType username vaultAuthorization AuthTypePass workStreet:
workCity:
workState:
workZip:
workCountry:true false new user for test true -62135578800 150 homePage:
homeEmail:
businessEmail: usertest@test.com
otherEmail:1597830302 \ false street:
city:
state:
zip:
country:
title:
organization:
department:
profession: testing integrations
firstName: user
middleName:
lastName: testhomeNumber:
businessNumber:
cellularNumber:
faxNumber:
pagerNumber:CyberArk false EPVUser TestUser
cyberark-pas-user-update#
Update an existing vault user.
Base Command#
cyberark-pas-user-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| username | The name of the user. | Optional |
| user_type | User type according to the license. | Optional |
| non_authorized_interfaces | The CyberArkPAS interfaces that this user is not authorized to use, e.g., "PSM", "PSMP" | Optional |
| location | The location in the vault where the user will be created. Must begin with "\". If just "\", the vault is in the root. | Optional |
| expiry_date | The date when the user expires. Must be in the following timestamp format: (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year). | Optional |
| change_password_on_the_next_logon | Whether or not the user must change their password from the second log on onward. Can be 'true' or 'false'. Default is 'true'. | Optional |
| password_never_expires | Whether the user’s password will not expire unless they decide to change it. Can be 'true' or 'false'. Default is 'false'. | Optional |
| vault_authorization | A comma-separated list of user permissions. Valid values are: AddSafes, AuditUsers, AddUpdateUsers, ResetUsersPasswords, ActivateUsers, AddNetworkAreas, ManageDirectoryMapping, ManageServerFileCategories, BackupAllSafes, RestoreAllSafes e.g., AddSafes,AuditUsers | Optional |
| description | Notes and comments. | Optional |
| The email addresses of the user. | Optional | |
| first_name | The first name of the user. | Optional |
| last_name | The last name of the user. | Optional |
| enable_user | Whether the user will be enabled upon creation. Can be 'true' or 'false'. Default is 'true'. | Optional |
| distinguished_name | The distinguished name of the user. The usage is for PKI authentication. This will match the certificate subject name or domain name. | Optional |
| profession | The profession of the user. | Optional |
| user_id | The ID of the user to update. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Users.id | Number | The unique ID of the user. |
| CyberArkPAS.Users.authenticationMethod | String | The authentication method for the user. |
| CyberArkPAS.Users.changePassOnNextLogon | Boolean | Whether or not the user must change the user password. |
| CyberArkPAS.Users.description | String | Description of the user. |
| CyberArkPAS.Users.enableUser | Boolean | Whether or not the user is enabled. |
| CyberArkPAS.Users.expiryDate | Number | The expiry date of the user. |
| CyberArkPAS.Users.internet.businessEmail | String | The email address of the user. |
| CyberArkPAS.Users.lastSuccessfulLoginDate | Number | The last successful login date of the user. |
| CyberArkPAS.Users.location | String | The location in the vault where the user will be created. |
| CyberArkPAS.Users.personalDetails.profession | String | The profession of the user. |
| CyberArkPAS.Users.suspended | Boolean | Whether or not the user is suspended. |
| CyberArkPAS.Users.userType | String | The type of the user. |
| CyberArkPAS.Users.username | String | The name of the user. |
| CyberArkPAS.Users.vaultAuthorization | String | The permissions of the user. |
Command Example#
!cyberark-pas-user-update user_id=150 change_password_on_the_next_logon=true description="updated description" email="update@test.com" first_name="test1" last_name="updated-name" username="TestUser1" profession="test1"
Context Example#
Human Readable Output#
Results#
authenticationMethod businessAddress changePassOnNextLogon componentUser description distinguishedName enableUser expiryDate groupsMembership id internet lastSuccessfulLoginDate location passwordNeverExpires personalDetails phones source suspended unAuthorizedInterfaces userType username vaultAuthorization AuthTypePass workStreet:
workCity:
workState:
workZip:
workCountry:true false updated description true -62135578800 150 homePage:
homeEmail:
businessEmail: update@test.com
otherEmail:1597830302 \ false street:
city:
state:
zip:
country:
title:
organization:
department:
profession: test1
firstName: test1
middleName:
lastName: updated-namehomeNumber:
businessNumber:
cellularNumber:
faxNumber:
pagerNumber:CyberArk false EPVUser TestUser1
cyberark-pas-user-delete#
Delete a specific user in the vault.
Base Command#
cyberark-pas-user-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| user_id | The ID of the user to delete. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Users.Deleted | Boolean | Whether the user was deleted. |
Command Example#
!cyberark-pas-user-delete user_id=150
Context Example#
Human Readable Output#
User 150 was deleted
cyberark-pas-users-list#
Return a list of all existing users in the vault that meet the filter and search criteria.
Base Command#
cyberark-pas-users-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| filter | Retrieve users using filters. Valid values: userType, componentUser. | Optional |
| search | Search by the following values: username, first name, last name. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Users.id | Number | The unique IDs of the users. |
| CyberArkPAS.Users.authenticationMethod | String | The authentication method of the user. |
| CyberArkPAS.Users.changePassOnNextLogon | Boolean | Whether or not the users must change their password. |
| CyberArkPAS.Users.description | String | Descriptions of the users. |
| CyberArkPAS.Users.enableUser | Boolean | Whether or not the users are enabled. |
| CyberArkPAS.Users.expiryDate | Number | The expiry dates of the users. |
| CyberArkPAS.Users.internet.businessEmail | String | The email addresses of the users. |
| CyberArkPAS.Users.lastSuccessfulLoginDate | Number | The last successful login dates of the users. |
| CyberArkPAS.Users.location | String | The locations in the vault where the users were created. |
| CyberArkPAS.Users.personalDetails.profession | String | The professions of the users. |
| CyberArkPAS.Users.suspended | Boolean | Whether or not the users are suspended. |
| CyberArkPAS.Users.userType | String | The types of the users. |
| CyberArkPAS.Users.username | String | The names of the users. |
| CyberArkPAS.Users.vaultAuthorization | String | The permissions of the users. |
Command Example#
!cyberark-pas-users-list
Context Example#
Human Readable Output#
There are 2 users#
componentUser id location personalDetails source userType username vaultAuthorization false 2 \ firstName:
middleName:
lastName:CyberArk Built-InAdmins Administrator AddUpdateUsers,
AddSafes,
AddNetworkAreas,
ManageDirectoryMapping,
ManageServerFileCategories,
AuditUsers,
BackupAllSafes,
RestoreAllSafes,
ResetUsersPasswords,
ActivateUsersfalse 3 \ firstName:
middleName:
lastName:CyberArk Built-InAdmins Auditor AuditUsers
cyberark-pas-user-activate#
Activate an existing vault user who was suspended after entering incorrect credentials multiple times. Uses the V1 of the API and may change in the future.
Base Command#
cyberark-pas-user-activate
Input#
| Argument Name | Description | Required |
|---|---|---|
| user_id | The ID of the user to activate. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cyberark-pas-user-activate user_id=150
Human Readable Output#
User 150 was activated
cyberark-pas-safes-list#
Return information about all of the user’s safes in the vault.
Base Command#
cyberark-pas-safes-list
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Safes.SafeName | String | The names of the safes. |
| CyberArkPAS.Safes.Description | String | The descriptions of the safes. |
| CyberArkPAS.Safes.Location | String | The locations of the safes. |
| CyberArkPAS.Safes.ManagingCPM | String | The name of the Central Policy Manager (CPM) user who will manage the safes. |
| CyberArkPAS.Safes.NumberOfDaysRetention | Number | The number of retained versions of every password that is stored in the safes. |
| CyberArkPAS.Safes.NumberOfVersionsRetention | Number | The number of days for which password versions are saved in the safes. |
| CyberArkPAS.Safes.OLACEnabled | Boolean | Whether or not to enable Object Level Access Control (OLAC) for the safes. |
Command Example#
!cyberark-pas-safes-list
Context Example#
Human Readable Output#
There are 3 safes#
Description Location SafeName SafeUrlId \ Internal Internal \ Notification Notification \ Reports Reports
cyberark-pas-safe-get-by-name#
Return information about a specific safe in the vault.
Base Command#
cyberark-pas-safe-get-by-name
Input#
| Argument Name | Description | Required |
|---|---|---|
| safe_name | The name of the safe about which information is returned. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Safes.SafeName | String | The name of the safe. |
| CyberArkPAS.Safes.Description | String | The description of the safe. |
| CyberArkPAS.Safes.Location | String | The location of the safe. |
| CyberArkPAS.Safes.ManagingCPM | String | The name of the Central Policy Manager (CPM) user who will manage the safe. |
| CyberArkPAS.Safes.NumberOfDaysRetention | Number | The number of retained versions of every password that is stored in the safe. |
| CyberArkPAS.Safes.NumberOfVersionsRetention | Number | The number of days for which password versions are saved in the safe. |
| CyberArkPAS.Safes.OLACEnabled | Boolean | Whether or not to enable Object Level Access Control (OLAC) for the safe. |
Command Example#
!cyberark-pas-safe-get-by-name safe_name=UpdatedName1
Context Example#
Human Readable Output#
Results#
AutoPurgeEnabled Description Location ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention OLACEnabled SafeName false UpdatedSafe \ 150 true UpdatedName1
cyberark-pas-safe-add#
Add a new safe to the vault.
Base Command#
cyberark-pas-safe-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| safe_name | Name of a safe to create. | Required |
| description | Description of the new safe. | Optional |
| OLAC_enabled | Whether or not to enable Object Level Access Control (OLAC) for the new safe. Valid values are: 'true' or 'false'. Default is 'true'. | Optional |
| managing_cpm | The name of the Central Policy Manager (CPM) user who will manage the new safe. | Optional |
| number_of_versions_retention | The number of retained versions of every password that is stored in the safe. | Optional |
| number_of_days_retention | The number of days for which password versions are saved in the safe. | Optional |
| location | The location of the new safe. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Safes.SafeName | String | The name of the safe. |
| CyberArkPAS.Safes.Description | String | The description of the safe. |
| CyberArkPAS.Safes.Location | String | The location of the safe. |
| CyberArkPAS.Safes.ManagingCPM | String | The name of the Central Policy Manager (CPM) user who will manage the safe. |
| CyberArkPAS.Safes.NumberOfDaysRetention | Number | The number of retained versions of every password that is stored in the safe. |
| CyberArkPAS.Safes.NumberOfVersionsRetention | Number | The number of days for which password versions are saved in the safe. |
| CyberArkPAS.Safes.OLACEnabled | Boolean | Whether or not to enable Object Level Access Control (OLAC) for the safe. |
Command Example#
!cyberark-pas-safe-add safe_name="TestSafe1" description="safe for tests" number_of_days_retention=100
Context Example#
Human Readable Output#
Results#
AutoPurgeEnabled Description Location ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention OLACEnabled SafeName false safe for tests \ 100 true TestSafe1
cyberark-pas-safe-update#
Update a single safe in the vault.
Base Command#
cyberark-pas-safe-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| safe_name | The name of the safe that will be updated. | Required |
| description | The description of the updated safe. | Optional |
| OLAC_enabled | Whether or not to enable Object Level Access Control (OLAC) for the updated safe. Valid values are: 'true' or 'false'. Default is 'true'. | Optional |
| managing_cpm | The name of the Central Policy Manager (CPM) user who will manage the updated safe. | Optional |
| number_of_versions_retention | The number of retained versions of every password that is stored in the updated safe. | Optional |
| number_of_days_retention | The number of days for which password versions are saved in the updated safe. | Optional |
| safe_new_name | The new name of the safe. | Optional |
| location | The location of the updated safe. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Safes.SafeName | String | The name of the updated safe. |
| CyberArkPAS.Safes.Description | String | The description of the updated safe. |
| CyberArkPAS.Safes.Location | String | The location of the updated safe. |
| CyberArkPAS.Safes.ManagingCPM | String | The name of the Central Policy Manager (CPM) user who will manage the safe. |
| CyberArkPAS.Safes.NumberOfDaysRetention | Number | The number of retained versions of every password that is stored in the updated safe. |
| CyberArkPAS.Safes.NumberOfVersionsRetention | Number | The number of days for which password versions are saved in the updated safe. |
| CyberArkPAS.Safes.OLACEnabled | Boolean | Whether or not to enable Object Level Access Control (OLAC) for the updated safe. |
Command Example#
!cyberark-pas-safe-update safe_name=TestSafe1 safe_new_name=UpdatedName1 description=UpdatedSafe number_of_days_retention=150
Context Example#
Human Readable Output#
Results#
AutoPurgeEnabled Description Location ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention OLACEnabled SafeName false UpdatedSafe \ 150 true UpdatedName1
cyberark-pas-safe-delete#
Delete a safe from the vault.
Base Command#
cyberark-pas-safe-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| safe_name | The name of the safe that will be deleted. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Safes.Deleted | Boolean | Whether the safe was deleted. |
Command Example#
!cyberark-pas-safe-delete safe_name=UpdatedName1
Context Example#
Human Readable Output#
Safe UpdatedName1 was deleted
cyberark-pas-safe-members-list#
Return a list of the members of the safe.
Base Command#
cyberark-pas-safe-members-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| safe_name | The name of the safe whose safe members will be listed. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Safes.Members.MemberName | String | The names of the safe members. |
| CyberArkPAS.Safes.Members.MembershipExpirationDate | Number | The expiration dates of the safe members. |
| CyberArkPAS.Safes.Members.Permissions | Unknown | The permissions of the safe members. |
| CyberArkPAS.Safes.Members.SearchIn | String | The vault or domain where the users or groups was found. |
Command Example#
!cyberark-pas-safe-members-list safe_name=UpdatedName1
Context Example#
Human Readable Output#
There are 2 safe members for UpdatedName1#
IsExpiredMembershipEnable IsPredefinedUser MemberName MemberType MembershipExpirationDate Permissions false true Administrator User UseAccounts: true
RetrieveAccounts: true
ListAccounts: true
AddAccounts: true
UpdateAccountContent: true
UpdateAccountProperties: true
InitiateCPMAccountManagementOperations: true
SpecifyNextAccountContent: true
RenameAccounts: true
DeleteAccounts: true
UnlockAccounts: true
ManageSafe: true
ManageSafeMembers: true
BackupSafe: true
ViewAuditLog: true
ViewSafeMembers: true
AccessWithoutConfirmation: true
CreateFolders: true
DeleteFolders: true
MoveAccountsAndFolders: true
RequestsAuthorizationLevel1: true
RequestsAuthorizationLevel2: falsefalse false TestUser1 User UseAccounts: true
RetrieveAccounts: false
ListAccounts: false
AddAccounts: false
UpdateAccountContent: false
UpdateAccountProperties: false
InitiateCPMAccountManagementOperations: false
SpecifyNextAccountContent: false
RenameAccounts: false
DeleteAccounts: false
UnlockAccounts: false
ManageSafe: false
ManageSafeMembers: false
BackupSafe: false
ViewAuditLog: false
ViewSafeMembers: false
AccessWithoutConfirmation: false
CreateFolders: false
DeleteFolders: false
MoveAccountsAndFolders: false
RequestsAuthorizationLevel1: false
RequestsAuthorizationLevel2: false
cyberark-pas-safe-member-add#
Add an existing user as a safe member. Uses the V1 of the API and may change in the future.
Base Command#
cyberark-pas-safe-member-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| member_name | The name of the user to add as a safe member. | Required |
| search_in | Search for the member in the vault or domain. | Optional |
| membership_expiration_date | The membership expiration date in the format MM\DD\YY. Leave empty if there is no expiration date. | Optional |
| permissions | The user’s permissions in the safe. Valid values: UseAccounts, RetrieveAccounts, ListAccounts, AddAccounts, UpdateAccountContent, UpdateAccountProperties, InitiateCPMAccountManagementOperations, InitiateCPMAccountManagementOperations, SpecifyNextAccountContent, RenameAccounts, DeleteAccounts, UnlockAccounts, ManageSafe, ManageSafeMembers, BackupSafe, ViewAuditLog, ViewAuditLog, ViewSafeMembers, AccessWithoutConfirmation, CreateFolders, DeleteFolders, MoveAccountsAndFolders e.g., UseAccounts,RetrieveAccounts | Optional |
| safe_name | The name of the safe to add a member to. | Required |
| requests_authorization_level | The request authorization levels. 0 – cannot authorize 1 – authorization level 1 2 – authorization level 2 Default is '0'. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Safes.Members.MemberName | String | The name of the safe member. |
| CyberArkPAS.Safes.Members.MembershipExpirationDate | Number | The expiration date of the safe member. |
| CyberArkPAS.Safes.Members.Permissions | Unknown | The permissions of the safe member. |
| CyberArkPAS.Safes.Members.SearchIn | String | The vault or domain where the user or group was found. |
Command Example#
!cyberark-pas-safe-member-add member_name="TestUser1" safe_name="UpdatedName1"
Context Example#
Human Readable Output#
Results#
MemberName MembershipExpirationDate Permissions SearchIn TestUser1 {'Key': 'UseAccounts', 'Value': False},
{'Key': 'RetrieveAccounts', 'Value': False},
{'Key': 'ListAccounts', 'Value': False},
{'Key': 'AddAccounts', 'Value': False},
{'Key': 'UpdateAccountContent', 'Value': False},
{'Key': 'UpdateAccountProperties', 'Value': False},
{'Key': 'InitiateCPMAccountManagementOperations', 'Value': False},
{'Key': 'SpecifyNextAccountContent', 'Value': False},
{'Key': 'RenameAccounts', 'Value': False},
{'Key': 'DeleteAccounts', 'Value': False},
{'Key': 'UnlockAccounts', 'Value': False},
{'Key': 'ManageSafe', 'Value': False},
{'Key': 'ManageSafeMembers', 'Value': False},
{'Key': 'BackupSafe', 'Value': False},
{'Key': 'ViewAuditLog', 'Value': False},
{'Key': 'ViewSafeMembers', 'Value': False},
{'Key': 'AccessWithoutConfirmation', 'Value': False},
{'Key': 'CreateFolders', 'Value': False},
{'Key': 'DeleteFolders', 'Value': False},
{'Key': 'MoveAccountsAndFolders', 'Value': False},
{'Key': 'RequestsAuthorizationLevel', 'Value': 0}vault
cyberark-pas-safe-member-update#
Update an existing safe member. Uses the V1 of the API and may change in the future.
Base Command#
cyberark-pas-safe-member-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| member_name | The member name that will be updated. | Required |
| membership_expiration_date | The membership expiration date in the format MM\DD\YY. Leave empty if there is no expiration date. | Optional |
| permissions | The user’s permissions in the safe. Valid values are: UseAccounts, RetrieveAccounts, ListAccounts, AddAccounts, UpdateAccountContent, UpdateAccountProperties, InitiateCPMAccountManagementOperations, InitiateCPMAccountManagementOperations, SpecifyNextAccountContent, RenameAccounts, DeleteAccounts, UnlockAccounts, ManageSafe, ManageSafeMembers, BackupSafe, ViewAuditLog, ViewAuditLog, ViewSafeMembers, RequestsAuthorizationLevel, AccessWithoutConfirmation, CreateFolders, DeleteFolders, MoveAccountsAndFolders e.g., UseAccounts,RetrieveAccounts | Optional |
| safe_name | The name of the safe to which the safe member belongs. | Required |
| requests_authorization_level | Request authorization levels. 0 – cannot authorize 1 – authorization level 1 2 – authorization level 2 Default is: '0'. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Safes.Members.MemberName | String | The name of the safe member. |
| CyberArkPAS.Safes.Members.MembershipExpirationDate | Number | The expiration date of the safe member. |
| CyberArkPAS.Safes.Members.Permissions | Unknown | The permissions of the safe member. |
| CyberArkPAS.Safes.Members.SearchIn | String | The vault or domain where the user or group was found. |
Command Example#
!cyberark-pas-safe-member-update member_name="TestUser1" safe_name="UpdatedName1" permissions=UseAccounts
Context Example#
Human Readable Output#
Results#
MembershipExpirationDate Permissions {'Key': 'UseAccounts', 'Value': True},
{'Key': 'RetrieveAccounts', 'Value': False},
{'Key': 'ListAccounts', 'Value': False},
{'Key': 'AddAccounts', 'Value': False},
{'Key': 'UpdateAccountContent', 'Value': False},
{'Key': 'UpdateAccountProperties', 'Value': False},
{'Key': 'InitiateCPMAccountManagementOperations', 'Value': False},
{'Key': 'SpecifyNextAccountContent', 'Value': False},
{'Key': 'RenameAccounts', 'Value': False},
{'Key': 'DeleteAccounts', 'Value': False},
{'Key': 'UnlockAccounts', 'Value': False},
{'Key': 'ManageSafe', 'Value': False},
{'Key': 'ManageSafeMembers', 'Value': False},
{'Key': 'BackupSafe', 'Value': False},
{'Key': 'ViewAuditLog', 'Value': False},
{'Key': 'ViewSafeMembers', 'Value': False},
{'Key': 'AccessWithoutConfirmation', 'Value': False},
{'Key': 'CreateFolders', 'Value': False},
{'Key': 'DeleteFolders', 'Value': False},
{'Key': 'MoveAccountsAndFolders', 'Value': False},
{'Key': 'RequestsAuthorizationLevel', 'Value': 0}
cyberark-pas-safe-member-delete#
Remove a specific member from a safe. Uses the V1 of the API and may change in the future.
Base Command#
cyberark-pas-safe-member-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| safe_name | The name of the safe to delete a member from. | Required |
| member_name | The name of the safe member to delete from the safe’s list of members. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Safes.Members.Deleted | Boolean | Whether the safe member was deleted. |
Command Example#
!cyberark-pas-safe-member-delete member_name=TestUser1 safe_name=UpdatedName1
Context Example#
Human Readable Output#
Member TestUser1 was deleted from UpdatedName1 safe
cyberark-pas-account-add#
Add a new privileged account or SSH key to the vault.
Base Command#
cyberark-pas-account-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_name | The name of the account. | Required |
| address | The name or address of the machine where the account will be used. | Required |
| platform_id | The platform assigned to this account. | Required |
| safe_name | The name of the safe where the account will be created. | Required |
| secret_type | The type of password. Valid values are: 'password', 'key'. Default is 'password'. | Optional |
| username | The The user name of the account. | Required |
| password | The password that the user will use to log on for the first time. | Required |
| properties | Object containing key-value pairs to associate with the account, as defined by the account platform. e.g., {"Location": "IT", "OwnerName": "MSSPAdmin"} | Optional |
| automatic_management_enabled | Whether the account secret is automatically managed by the Central Policy Manager (CPM). Can be 'true' or 'false'. Default is 'true'. | Optional |
| manual_management_reason | The reason for disabling automatic secret management. | Optional |
| remote_machines | List of remote machines, separated by semicolons. e.g., server1.cyberark.com;server2.cyberark.com | Optional |
| access_restricted_to_remote_machines | Whether or not to restrict access to specified remote machines only. Can be 'true' or 'false'. Default is: 'true'. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Accounts.id | String | The unique ID of the account. |
| CyberArkPAS.Accounts.categoryModificationTime | Number | The last modified date of the account. |
| CyberArkPAS.Accounts.createdTime | Number | The date the account was created. |
| CyberArkPAS.Accounts.name | String | The name of the account. |
| CyberArkPAS.Accounts.platformId | String | The platform assigned to this account. |
| CyberArkPAS.Accounts.safeName | String | The safe where the account is created. |
| CyberArkPAS.Accounts.secretManagement | String | Whether the account secret is automatically managed by the CPM. |
| CyberArkPAS.Accounts.secretType | String | The type of password. |
| CyberArkPAS.Accounts.userName | String | The name of the account user. |
| CyberArkPAS.Accounts.address | String | The name or address of the machine where the account will be used. |
Command Example#
!cyberark-pas-account-add safe_name=TestSafe1 account_name=TestAccount1 address=/ password=12345Aa platform_id=WinServerLocal username=TestUser
Context Example#
Human Readable Output#
Results#
address categoryModificationTime createdTime id name platformId safeName secretManagement secretType userName / 1597863168 1597863168 89_3 TestAccount1 WinServerLocal TestSafe1 automaticManagementEnabled: true
lastModifiedTime: 1597848768password TestUser
cyberark-pas-account-delete#
Delete a specific account in the vault.
Base Command#
cyberark-pas-account-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_id | The unique ID of the account to delete. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Accounts.Deleted | Boolean | Whether the safe was deleted. |
Command Example#
!cyberark-pas-account-delete account_id= 89_3
Context Example#
Human Readable Output#
Account 89_3 was deleted
cyberark-pas-account-update#
Update the details of an existing account.
Base Command#
cyberark-pas-account-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_id | The unique ID of the account to update. | Required |
| account_name | The name of the account to update. | Optional |
| address | The name or address of the machine where the account will be used. | Optional |
| platform_id | The platform assigned to this account. | Optional |
| username | The user name of the account. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Accounts.id | String | The unique ID of the account. |
| CyberArkPAS.Accounts.categoryModificationTime | Number | The last modified date of the account. |
| CyberArkPAS.Accounts.createdTime | Number | The date the account was created. |
| CyberArkPAS.Accounts.name | String | The name of the account. |
| CyberArkPAS.Accounts.platformId | String | The platform assigned to this account. |
| CyberArkPAS.Accounts.safeName | String | The safe where the account was created. |
| CyberArkPAS.Accounts.secretManagement | String | Whether the account secret is automatically managed by the CPM. |
| CyberArkPAS.Accounts.secretType | String | The type of password. |
| CyberArkPAS.Accounts.userName | String | The user name of the account. |
| CyberArkPAS.Accounts.address | String | The name or address of the machine where the account will be used. |
Command Example#
!cyberark-pas-account-update account_id= 89_3 account_name=NewName
Context Example#
Human Readable Output#
Results#
address categoryModificationTime createdTime id name platformId safeName secretManagement secretType userName / 1597863168 1597863168 89_3 NewName WinServerLocal TestSafe1 automaticManagementEnabled: true
lastModifiedTime: 1597848768password TestUser
cyberark-pas-accounts-list#
Return a list of all the accounts in the vault.
Base Command#
cyberark-pas-accounts-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| search | List of keywords to search for in the accounts. Separated with a space, e.g,. Windows admin | Optional |
| sort | Property or properties by which to sort the returned accounts. The properties are followed by a comma and then 'asc' (default) or 'desc' to control the sort direction, e.g., Windows,asc | Optional |
| offset | The offset of the first account that is returned in the collection of results. Default is '0'. | Optional |
| limit | Maximum number of accounts in the returned list. Default is '50'. | Optional |
| filter | Search for accounts filtered by a specific safe, e.g., safeName eq 'mySafe'. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Accounts.id | String | The unique IDs of the accounts. |
| CyberArkPAS.Accounts.categoryModificationTime | Number | Last modified dates of the accounts. |
| CyberArkPAS.Accounts.createdTime | Number | Date the account was created. |
| CyberArkPAS.Accounts.name | String | The names of the accounts. |
| CyberArkPAS.Accounts.platformId | String | The platforms assigned to these accounts. |
| CyberArkPAS.Accounts.safeName | String | The safes where the accounts were created. |
| CyberArkPAS.Accounts.secretManagement | String | Whether the accounts secrets were automatically managed by the CPM. |
| CyberArkPAS.Accounts.secretType | String | The type of passwords. |
| CyberArkPAS.Accounts.userName | String | The user names of the accounts. |
| CyberArkPAS.Accounts.address | String | The names or addresses of the machine where the accounts are used. |
Command Example#
!cyberark-pas-accounts-list limit=2
Context Example#
Human Readable Output#
There are 2 accounts#
address categoryModificationTime createdTime id name platformAccountProperties platformId safeName secretManagement secretType userName string 1594569595 1594573679 2_6 account1 Oracle VaultInternal automaticManagementEnabled: true
lastModifiedTime: 1594559279password string string 1583345933 1573127750 2_3 cybr WinDomain VaultInternal automaticManagementEnabled: false
manualManagementReason: NoReason
lastModifiedTime: 1573109750password vault
cyberark-pas-account-get-list-activity#
Returns the activities of a specific account that is identified by its account ID.
Base Command#
cyberark-pas-account-get-list-activity
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_id | The ID of the account whose activities will be retrieved. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Activities.Action | String | The activity that was performed. |
| CyberArkPAS.Activities.ActionID | Number | The code identification of the specific activity. |
| CyberArkPAS.Activities.Alert | Boolean | Whether or not the activity caused an alert. |
| CyberArkPAS.Activities.ClientID | String | The name of the account. |
| CyberArkPAS.Activities.Date | Number | The date the account was created. |
| CyberArkPAS.Activities.MoreInfo | String | More information about the activity. |
| CyberArkPAS.Activities.Reason | String | The reason given by the user for the activity. |
| CyberArkPAS.Activities.User | String | The user who performed the activity. |
Command Example#
!cyberark-pas-account-get-list-activity account_id= 89_3
Context Example#
Human Readable Output#
Results#
Action ActionID Alert ClientID Date MoreInfo Reason User Rename File 124 false 1 1597863265 NewName Administrator Add File Category 105 false 1 1597863168 CreationMethod Value=[ABC] Administrator
cyberark-pas-account-get-details#
Returns information for the specified account, identified by the account ID.
Base Command#
cyberark-pas-account-get-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_id | The ID of the account for which to retrieve information. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.Accounts.id | String | The unique ID of the account. |
| CyberArkPAS.Accounts.categoryModificationTime | Number | The date the account was last modified. |
| CyberArkPAS.Accounts.createdTime | Number | The date the account was created. |
| CyberArkPAS.Accounts.name | String | The name of the account. |
| CyberArkPAS.Accounts.platformId | String | The platform assigned to this account. |
| CyberArkPAS.Accounts.safeName | String | The safe where the account is created. |
| CyberArkPAS.Accounts.secretManagement | String | Whether the account secret is automatically managed by the CPM. |
| CyberArkPAS.Accounts.secretType | String | The type of password. |
| CyberArkPAS.Accounts.userName | String | The name of the account user. |
| CyberArkPAS.Accounts.address | String | The name or address of the machine where the account will be used. |
Command Example#
!cyberark-pas-account-get-details account_id=46_7
Context Example#
Human Readable Output#
Results#
address categoryModificationTime createdTime id name platformAccountProperties platformId safeName secretManagement secretType userName address 1597581174 1595431869 46_7 Operating System-UnixSSH UseSudoOnReconcile: No
Tags: SSHUnixSSH Linux Accounts automaticManagementEnabled: true
status: success
lastModifiedTime: 1595417469
lastReconciledTime: 1576120341password user1
cyberark-pas-credentials-change-in-vault-only#
Enable users to set account credentials and change them in the vault.
Base Command#
cyberark-pas-credentials-change-in-vault-only
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_id | The unique ID of the account. | Required |
| new_credentials | The new account credentials that will be allocated to the account in the vault. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cyberark-pas-credentials-change-in-vault-only account_id=89_4 new_credentials=1234Asw
Human Readable Output#
The password in the account 89_4 was changed
cyberark-pas-credentials-verify#
Mark an account for verification by the Central Policy Manager (CPM).
Base Command#
cyberark-pas-credentials-verify
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_id | The unique ID of the account. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cyberark-pas-credentials-verify account_id=89_4
Human Readable Output#
The account 89_4 was marked for verification by the CPM
cyberark-pas-credentials-reconcile#
Mark an account for automatic reconciliation by the Central Policy Manager (CPM).
Base Command#
cyberark-pas-credentials-reconcile
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_id | The unique ID of the account. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cyberark-pas-credentials-reconcile account_id=89_4
Human Readable Output#
The account 89_4 was marked for automatic reconciliation by the CPM.
cyberark-pas-credentials-change-random-password#
Mark an account for an immediate credentials change by the CPM to a new random value.
Base Command#
cyberark-pas-credentials-change-random-password
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_id | The unique ID of the account. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cyberark-pas-credentials-change-random-password account_id=89_4
Human Readable Output#
The password in the account 89_4 was changed
cyberark-pas-credentials-change-set-new-password#
Enable users to set the account's credentials to use for the next Central Policy Manager (CPM) change.
Base Command#
cyberark-pas-credentials-change-set-new-password
Input#
| Argument Name | Description | Required |
|---|---|---|
| account_id | The unique ID of the account. | Required |
| new_credentials | The new account credentials that will be allocated to the account in the vault. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cyberark-pas-credentials-change-set-new-password account_id=89_4
Human Readable Output#
The password in the account 89_4 was changed
cyberark-pas-security-events-get#
Return all Privileged Threat Analytics (PTA) security events.
Base Command#
cyberark-pas-security-events-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| start_time | The starting date to get the security events from. Must be in the following timestamp format: (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year). | Required |
| limit | The number of events that will be shown, from newest to oldest. Default is '50'. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CyberArkPAS.SecurityEvents.id | Number | The unique ID of the security events. |
| CyberArkPAS.SecurityEvents.additionalData | String | Additional data about the security events. |
| CyberArkPAS.SecurityEvents.audits.createTime | Number | The time the security events were created. |
| CyberArkPAS.SecurityEvents.lastUpdateTime | Number | The last update time of the security events. |
| CyberArkPAS.SecurityEvents.mStatus | String | The status of the security events. |
| CyberArkPAS.SecurityEvents.score | Number | The score of the security events. |
| CyberArkPAS.SecurityEvents.type | String | The type of the security events. |
Command Example#
!cyberark-pas-security-events-get start_time="3 days" limit=2
Context Example#
Human Readable Output#
Results#
additionalData audits createTime id lastUpdateTime mStatus score type station: 1.1.1.1
reason: ip
vault_user: administrator{'id': '1', 'type': 'VAULT_LOGON', 'sensorType': 'VAULT', 'action': 'Logon', 'createTime': 1597864497000, 'vaultUser': 'Administrator', 'source': {'mOriginalAddress': '1.1.1.1', 'mResolvedAddress': {'mOriginalAddress': '1.1.1.1', 'mAddress': '1.1.1.1', 'mHostName': '1-2-3-4', 'mFqdn': '1-2-3-4'}}, 'cloudData': {}} 1597864497000 1 1597864497000 OPEN 25.751749103263528 VaultViaIrregularIp station: 1.1.1.1
reason: ip
vault_user: administrator{'id': '2', 'type': 'VAULT_LOGON', 'sensorType': 'VAULT', 'action': 'Logon', 'createTime': 1597864209000, 'vaultUser': 'Administrator', 'source': {'mOriginalAddress': '1.1.1.1', 'mResolvedAddress': {'mOriginalAddress': '1.1.1.1', 'mAddress': '1.1.1.1', 'mHostName': '1-2-3-4', 'mFqdn': '1-2-3-4'}}, 'cloudData': {}} 1597864209000 2 1597864209000 OPEN 25.751749103263528 VaultViaIrregularIp